AgentComm
Malicious
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: agentcomm
Version: 1.0.0
The skill is classified as suspicious due to several critical vulnerabilities and risky capabilities. The `nostr_comm.py` file allows the agent to upload arbitrary local files to IPFS via `share_file` and download arbitrary IPFS content to any local path via `download_file`, creating significant data exfiltration and arbitrary file write risks if the agent is prompted maliciously. It also executes shell commands via `subprocess.run` for `pip install`, demonstrating a capability for arbitrary command execution. Additionally, the private key (nsec) is printed to stdout during identity generation, exposing a sensitive secret, and a fallback IPFS upload endpoint (`https://uploads.ipfs.io/api/v0/add`) is used which appears to be an unknown or non-standard public upload service, raising concerns about untrusted network interactions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may modify the user's Python environment and install third-party code without the normal install-time review or version pinning.
Importing or running the skill can execute pip to install a package automatically. This is not reflected by the 'No install spec' registry information and uses an unpinned package name.
except ImportError:
    # Install nostr library
    subprocess.run(['pip', 'install', 'nostr'], check=True)
Remove runtime auto-installation, declare dependencies in the install spec, pin versions or provide a lockfile, and require explicit user approval for dependency installation.
Sensitive files shared through this skill may become retrievable by anyone with the CID/link and may persist on IPFS; the public upload service can also see the uploaded file contents.
The provided file upload path reads local file bytes and uploads them to IPFS infrastructure, including a public fallback upload endpoint, then returns a public gateway link. The artifacts do not clearly show file-content encryption before upload.
with open(file_path, 'rb') as f:
    files = {'file': f}
    response = requests.post(..., files=files, timeout=60)
...
"https://uploads.ipfs.io/api/v0/add"
...
"gateway_link": f"{self.gateway_url}{result['Hash']}"
Encrypt file contents locally before IPFS upload, clearly warn that IPFS content is public and persistent, disable public upload fallback by default, and require explicit confirmation for every file upload.
Users may share private documents thinking the file itself is encrypted, when the artifact evidence only supports encrypted messaging of the IPFS reference.
The wording emphasizes end-to-end encryption and an encrypted link, which can lead users to believe file transfers are confidential, while the provided code shows raw file upload behavior to IPFS-related endpoints and only the link/message is clearly encrypted.
**End-to-end encrypted** — Only sender and recipient can read messages ... File uploads to IPFS, recipient receives an encrypted link.
Clarify that Nostr messages are encrypted but IPFS file contents are not shown as encrypted unless an explicit encryption step is added; update the documentation and UI warnings accordingly.
Anyone who sees the nsec private key in logs, transcripts, or shared output could impersonate that identity or decrypt messages for it.
The generated Nostr private key is printed for the user to save. This is expected for identity setup, but it is a credential that controls the agent's Nostr identity and encrypted messages.
print(f" nsec: {self.private_key.bech32()} (SAVE THIS!)")
Treat the Nostr private key as a secret, avoid leaving it in chat/log history, store it in a secrets manager or protected environment variable, and declare the optional credential in metadata.
